Attackers Exploiting Recently Patched Adobe Flash Flaw

Attackers are actively exploiting a Flash vulnerability that Adobe just released a fix for in its quarterly security update a few days ago.

Adobe patched the Flash bug (CVE-2010-2110) as part of its quarterly update (APSB11-18) on June 14. There were some attacks exploiting the problem in the wild, Adobe said at the time. Security researchers at Websense reported seeing new drive-by and spear phishing attacks taking advantage of the issue in the Security Labs blog on June 17.

It is being exploited in the wild on a "fairly large scale," Shadow Server's Steven Adair wrote, noting that the team first learned about the exploit on June 9.

Unless Adobe had received earlier reports of the exploit, this would mean the vendor had turned around a patch in five days. "That is the good news," Adair wrote.

The attack file has been used as a drive-by in several legitimate sites, including non-governmental organizations around the world, aerospace companies, a Korean news site, and Indian government Website and a Taiwanese university. Because it runs quietly in the background, the user will not notice a thing, especially since the exploit will not crash the browser, according to Adair. Users running NoScript and other similar plugins may see the request to load Flash files.

The vulnerability is triggered when a Website is viewed in a browser that has an unpatched Flash Player plugin. A simple command loads the rogue SWF file, which uses heap information leakage to overwrite the legitimate code to execute malicious code, Websense's Patrik Runald wrote. Once the shellcode has executed, it will download an encrypted binary file onto the computer.

"Each exploit downloads a different file from a different server," Runald said.

Adobe has taken a beating over the past few months as it released multiple out-of-band updates to fix several vulnerabilities in its Flash Player software. As Adobe software continues to become more prevalent, attackers are increasingly shifting focus, Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, said on a June 17 panel on zero day attacks.

"Adobe is in the same situation where Microsoft was 5 years ago," Schouwenberg said.

System administrators should move quickly to patch the vulnerabilities. "The vast majority of attacks out there are against older bugs, not zero days," David Lenoe, head of the Product Security Incident Response Team at Adobe, said during the same panel.

Administrators and end-users are often slow about applying patches, with majority of the folks saying "remind me later," Uri Rivner, head of new technologies in the identity protection division at RSA, said on the panel.

That said, Flash Player actually has a pretty good - "really high" - rate of patching, Lenoe said.